Source anchors
How to use this checklist
Use this checklist to audit whether the service can show a live risk register with clear risks, controls, owners, reviews, escalation decisions and closure evidence. It can be used monthly, before provider review, after a serious incident, or before an inspection-readiness review.
Risk management should be proportionate. The aim is not a long register. The aim is a register that shows the service knows its significant risks and is taking action that can be evidenced.
For each row, record:
- Met: evidence is current and complete.
- Part met: evidence exists but has a gap or needs follow-up.
- Not met: evidence is absent or the control is not working.
- Not applicable: the service does not carry out this activity.
Every Part met or Not met item should create an action with an owner and due date.
The PDF is designed for printing, or for completing on screen with a PDF viewer's Fill & Sign, Markup or comment tools. Use those tools to tick boxes and type into the lines.
Service details
| Field |
Local entry |
| Service name |
|
| Location |
|
| Date completed |
|
| Completed by |
|
| Registered Manager |
|
| Provider lead |
|
| Period reviewed |
|
| Number of risks sampled |
|
1. Register structure and ownership
| Check |
Evidence to review |
Status |
Action owner |
Due date |
| Risk register exists and is current. |
Risk register, last review date. |
|
|
|
| Each risk has a clear title and description. |
Risk sample. |
|
|
|
| Each risk names affected people, area or service. |
Risk sample, service map. |
|
|
|
| Each risk has an owner. |
Risk register, role list. |
|
|
|
| Risk rating model is defined and understood. |
Procedure, governance record, staff interview. |
|
|
|
| Register includes review dates and current status. |
Risk register, review report. |
|
|
|
2. Identification and assessment
| Check |
Evidence to review |
Status |
Action owner |
Due date |
| Risks are identified from incidents, complaints, safeguarding, audits and staff feedback. |
Cross-linked records, governance report. |
|
|
|
| Assessment records what could happen and who could be affected. |
Risk sample. |
|
|
|
| Existing controls are recorded. |
Risk sample, evidence of controls. |
|
|
|
| Likelihood and impact are recorded with rationale for high or extreme risks. |
Risk rating sample. |
|
|
|
| Assessment considers rights, choices and dignity where relevant. |
Person-centred risk sample. |
|
|
|
| Risk is reviewed after material change or new information. |
Review history, incident link, update note. |
|
|
|
3. Controls and actions
| Check |
Evidence to review |
Status |
Action owner |
Due date |
| Controls are specific enough to be checked. |
Risk sample, control description. |
|
|
|
| Actions have owner, due date and completion evidence requirement. |
Action log, improvement record. |
|
|
|
| Overdue actions are visible and escalated. |
Action tracker, governance minutes. |
|
|
|
| Controls dependent on staff behaviour are checked in practice. |
Observation, audit, supervision record. |
|
|
|
| High or repeated risks lead to stronger controls or escalation. |
Risk history, escalation note. |
|
|
|
| Action completion changes the risk rating only when evidence supports it. |
Risk update, completion evidence. |
|
|
|
4. Review and escalation
| Check |
Evidence to review |
Status |
Action owner |
Due date |
| Review frequency is proportionate to rating. |
Procedure, risk register. |
|
|
|
| High and extreme risks are reviewed at governance. |
Governance minutes, risk report. |
|
|
|
| Provider-level review is visible for persistent or resource-dependent risks. |
Provider minutes, Nominated Individual note. |
|
|
|
| Escalation decisions record route, reason and outcome. |
Escalation note, external correspondence. |
|
|
|
| Immediate-risk situations are escalated without waiting for routine meetings. |
Incident/risk timeline, call note. |
|
|
|
| Accepted risks have senior approval and review plan. |
Accepted-risk record, approval note. |
|
|
|
5. Links with other governance records
| Check |
Evidence to review |
Status |
Action owner |
Due date |
| Serious or repeated incidents update the risk register. |
Linked incident, risk update. |
|
|
|
| Complaint themes update the risk register where needed. |
Complaint theme report, risk update. |
|
|
|
| Safeguarding concerns update the risk register where needed. |
Safeguarding review, risk update. |
|
|
|
| Audit failures update the risk register where needed. |
Audit report, risk update. |
|
|
|
| Business continuity, staffing and training risks are represented where relevant. |
BCP record, rota review, training matrix. |
|
|
|
| Person-level risks that show a wider service issue are escalated to service-level risk. |
Care record theme, risk register. |
|
|
|
6. Closure quality
| Check |
Evidence to review |
Status |
Action owner |
Due date |
| Closed risks have closure reason and evidence. |
Closed risk sample. |
|
|
|
| Closure is approved by the right person. |
Closure approval, role list. |
|
|
|
| Risk is not closed only because one action completed. |
Closure rationale, residual risk review. |
|
|
|
| Ongoing monitoring is recorded where risk remains accepted. |
Review plan, governance minute. |
|
|
|
| Reopened risks show why previous controls were not enough. |
Reopened risk record, trend review. |
|
|
|
7. Summary judgement
| Question |
Answer |
| What are the service's top three current risks? |
|
| Which high or extreme risk has the weakest control evidence? |
|
| Which risk has overdue action or overdue review? |
|
| Which repeated incident or complaint theme is missing from the risk register? |
|
| What would a CQC inspector see if they asked for the live risk register today? |
|
8. Action log
| Action |
Source check |
Owner |
Due date |
Completion evidence |
|
|
|
|
|
9. Completion
| Sign-off |
Name |
Date |
| Completed by |
|
|
| Reviewed by Registered Manager |
|
|
This checklist is a working tool. It does not replace live regulator guidance, health and safety advice, safeguarding advice, the service's own risk policy, legal advice or professional judgement.
Related reading
This checklist is a starting point and a guide to what inspectors look for. It is not a complete or deployable procedure, and it is not legal advice. Working through it does not guarantee a rating or compliance. Check all regulatory references and timescales against current primary sources and adapt it to your own service.